phpBugTracker 1.0.5 Multiple Reflected XSS Vulnerabilities

Title: phpBugTracker 1.0.5 Multiple Reflected XSS Vulnerabilities
Advisory ID: ZSL-2011-4996
Type: Remote
Impact: Cross-Site Scripting
Risk: (2/5)
Release Date: 18.02.2011
Summary
phpBugTracker is a web-based bug tracker with functionality similar to other issue tracking systems, such as Bugzilla. Design focuses on separating the presentation, application, and database layers. phpBugTracker is lightweight and easy to install, operate and administer. Most text can be customized for your application.
Description
phpBugTracker suffers from multiple cross-site scripting vulnerabilities. The issue is triggered when input passed via the 'form' parameter to the 'query.php' script is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. 'query.php' and 'newaccount.php' are also vulnerable because they fail to perform filtering when using the REQUEST_URI variable.
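One way to close both sinks described above, added here as an illustration and not taken from phpBugTracker's source: validate the 'form' parameter and HTML-encode both it and the REQUEST_URI-derived path at the point of output. The helper names, the allow-list pattern, the default value and the sample request data are assumptions.

```php
<?php
// Added illustration; not phpBugTracker code. All function names are hypothetical.

/** Encode a value for an HTML text node or a quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Accept only a short identifier for 'form'; anything else becomes the default (assumed value). */
function clean_form_name($raw, string $default = 'default'): string
{
    return (is_string($raw) && preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $raw)) ? $raw : $default;
}

/** Build a form action from the path part of REQUEST_URI only, dropping the query string. */
function self_action(array $server): string
{
    $path = parse_url($server['REQUEST_URI'] ?? '', PHP_URL_PATH);
    if (!is_string($path) || $path === '' || $path[0] !== '/') {
        $path = $server['SCRIPT_NAME'] ?? '/';   // fall back to the server-set script name
    }
    return h($path);                             // path info can still carry markup, so encode it
}

// Constructed request data standing in for $_GET and $_SERVER.
$get    = ['form' => '"><b>injected</b>'];
$server = [
    'REQUEST_URI' => '/query.php?form="><b>injected</b>',
    'SCRIPT_NAME' => '/query.php',
];

// Unsafe pattern of the kind the advisory describes: raw values written into markup.
// echo '<form action="' . $server['REQUEST_URI'] . '">';
// echo '<input name="form" value="' . $get['form'] . '">';

// Hardened output: validated parameter, path-only action, encoding applied at the sink.
echo '<form action="' . self_action($server) . '" method="get">' . "\n";
echo '  <input type="hidden" name="form" value="'
    . h(clean_form_name($get['form'] ?? null)) . '">' . "\n";
echo "</form>\n";
```

With the constructed input, the rendered action is `/query.php` and the hidden field carries the default value, so none of the request-supplied markup reaches the page.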
Vendor
Benjamin Curtis - http://phpbt.sourceforge.net/
Affected Version
1.0.5
Tested On
Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41
Vendor Status
N/A
PoC
phpbt_xss.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://securityreason.com/exploitalert/9996
[2] http://packetstormsecurity.org/files/98572
[3] http://securityreason.com/wlb_show/WLB-2011020088
[4] http://www.hxcode.com/read.php?tid-13105.html
Changelog
[18.02.2011] - Initial release
[22.02.2011] - Added reference [3]
[28.02.2011] - Added reference [4]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk